Connectivity Test: AKS Cluster failing node-to-node-encryption

[jpayne3506]

Bug report

General Information This result occurs on 3 different agent versions: v1.12.10, v1.4.3, v1.15.0 (nightly release)

• Cilium CLI version (run cilium version) v0.15.12
• Orchestration system version in use (e.g. kubectl version, ...) Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.1", GitCommit:"4c9411232e10168d7b050c49a1b59f6df9d7ea4b", GitTreeState:"clean", BuildDate:"2023-04-14T13:21:19Z", GoVersion:"go1.20.3", Compiler:"gc", Platform:"linux/amd64"} Kustomize Version: v5.0.1 Server Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.10", GitCommit:"b8609d4dd75c5d6fba4a5eaa63a5507cb39a6e99", GitTreeState:"clean", BuildDate:"2023-10-23T16:10:33Z", GoVersion:"go1.20.10", Compiler:"gc", Platform:"linux/amd64"}
• Platform / infrastructure information (e.g. AWS / Azure / GCP, image / kernel versions) AKS
• Link to relevant artifacts (policies, deployments scripts, ...)
• Generate and upload a system zip: cilium sysdump cilium-sysdump-20231110-093605.zip

How to reproduce the issue

1. instruction 1 cilium connectivity test --test node-to-node-encryption -d -v Result: [-] Scenario [node-to-node-encryption/node-to-node-encryption] 🐛 node-to-node-encryption test running in sanity mode, expecting unencrypted packets 🐛 Running /bin/sh -c ip -o route get 10.10.0.5 from 192.168.1.94 iif lo | grep -oE 'dev [^ ]' | cut -d' ' -f2 🐛 Running in bg: tcpdump -i eth0 --immediate-mode -w /tmp/node-to-node-encryption-host-netns-zh6p2.pcap src host 192.168.1.94 and icmp and dst host 10.10.0.5 [.] Action [node-to-node-encryption/node-to-node-encryption/ping-ipv4: cilium-test/client-c4bfddc44-24nrv (192.168.1.94) -> cilium-test/host-netns-jm8gf (10.10.0.5:0)] 🐛 Executing command [ping -c 1 -W 2 -w 10 10.10.0.5] ❌ Expected to see unencrypted packets, but none found. This check might be broken 📄 No flows recorded for peer cilium-test/client-c4bfddc44-24nrv during action ping-ipv4 📄 No flows recorded for peer cilium-test/host-netns-jm8gf during action ping-ipv4 🐛 Running /bin/sh -c ip -o route get 10.10.0.5 from 10.10.0.4 | grep -oE 'dev [^ ]' | cut -d' ' -f2 🐛 Running in bg: tcpdump -i eth0 --immediate-mode -w /tmp/node-to-node-encryption-host-netns-zh6p2.pcap src host 10.10.0.4 and icmp and dst host 10.10.0.5 🐛 Running /bin/sh -c ip -o route get 10.10.0.4 from 10.10.0.5 | grep -oE 'dev [^ ]' | cut -d' ' -f2 🐛 Running in bg: tcpdump -i eth0 --immediate-mode -w /tmp/node-to-node-encryption-host-netns-jm8gf.pcap src host 10.10.0.5 and icmp and dst host 10.10.0.4 [.] Action [node-to-node-encryption/node-to-node-encryption/ping-ipv4: cilium-test/host-netns-zh6p2 (10.10.0.4) -> cilium-test/host-netns-jm8gf (10.10.0.5:0)] 🐛 Executing command [ping -c 1 -W 2 -w 10 10.10.0.5] 🐛 Running /bin/sh -c ip -o route get 192.168.0.107 from 10.10.0.4 | grep -oE 'dev [^ ]' | cut -d' ' -f2 🐛 Running in bg: tcpdump -i eth0 --immediate-mode -w /tmp/node-to-node-encryption-host-netns-zh6p2.pcap src host 10.10.0.4 and tcp and dst host 192.168.0.107 [.] Action [node-to-node-encryption/node-to-node-encryption/curl-ipv4: cilium-test/host-netns-zh6p2 (10.10.0.4) -> cilium-test/echo-other-node-64b998965-6d7pm (192.168.0.107:8080)] 🐛 Executing command [curl -w %{local_ip}:%{local_port} -> %{remote_ip}:%{remote_port} = %{response_code} --silent --fail --show-error --output /dev/null --connect-timeout 2 --max-time 10 http://192.168.0.107:8080] 🐛 Finalizing Test node-to-node-encryption

Features Enabled/General system information: 🐛 Detected features: 🐛 cidr-match-nodes: Disabled 🐛 cilium-network-policy: Enabled 🐛 cni-chaining: Disabled:none 🐛 enable-envoy-config: Disabled 🐛 enable-gateway-api: Disabled 🐛 enable-ipv4-egress-gateway: Disabled 🐛 encryption-node: Disabled 🐛 encryption-pod: Disabled:disabled 🐛 endpoint-routes: Enabled 🐛 flavor: Enabled:aks 🐛 health-checking: Disabled 🐛 host-firewall: Disabled 🐛 host-port: Enabled 🐛 icmp-policy: Enabled 🐛 ingress-controller: Disabled 🐛 ipv4: Enabled 🐛 ipv6: Disabled 🐛 k8s-network-policy: Enabled 🐛 kpr-external-ips: Enabled 🐛 kpr-graceful-termination: Enabled 🐛 kpr-hostport: Enabled 🐛 kpr-mode: Enabled:Strict 🐛 kpr-nodeport: Enabled 🐛 kpr-session-affinity: Enabled 🐛 kpr-socket-lb: Enabled 🐛 l7-proxy: Disabled 🐛 monitor-aggregation: Enabled:medium 🐛 mutual-auth-spiffe: Disabled 🐛 node-without-cilium: Disabled 🐛 secret-backend-k8s: Disabled 🐛 tunnel: Disabled:vxlan 🐛 wireguard-encapsulate: Disabled ℹ️ Monitor aggregation detected, will skip some flow validation steps ℹ️ Skipping tests that require a node Without Cilium 🐛 Validating Deployments... ⌛ [ciliumnightly-816c6c11] Waiting for deployment cilium-test/client to become ready... ⌛ [ciliumnightly-816c6c11] Waiting for deployment cilium-test/client2 to become ready... ⌛ [ciliumnightly-816c6c11] Waiting for deployment cilium-test/echo-same-node to become ready... ⌛ [ciliumnightly-816c6c11] Waiting for deployment cilium-test/echo-other-node to become ready... ⌛ [ciliumnightly-816c6c11] Waiting for CiliumEndpoint for pod cilium-test/client-c4bfddc44-24nrv to appear... ⌛ [ciliumnightly-816c6c11] Waiting for CiliumEndpoint for pod cilium-test/client2-5c6c769648-c6jzw to appear... ⌛ [ciliumnightly-816c6c11] Waiting for pod cilium-test/client-c4bfddc44-24nrv to reach DNS server on cilium-test/echo-same-node-5988bfdbc-m7xqx pod... ⌛ [ciliumnightly-816c6c11] Waiting for pod cilium-test/client2-5c6c769648-c6jzw to reach DNS server on cilium-test/echo-same-node-5988bfdbc-m7xqx pod... ⌛ [ciliumnightly-816c6c11] Waiting for pod cilium-test/client-c4bfddc44-24nrv to reach DNS server on cilium-test/echo-other-node-64b998965-6d7pm pod... ⌛ [ciliumnightly-816c6c11] Waiting for pod cilium-test/client2-5c6c769648-c6jzw to reach DNS server on cilium-test/echo-other-node-64b998965-6d7pm pod... ⌛ [ciliumnightly-816c6c11] Waiting for pod cilium-test/client-c4bfddc44-24nrv to reach default/kubernetes service... ⌛ [ciliumnightly-816c6c11] Waiting for pod cilium-test/client2-5c6c769648-c6jzw to reach default/kubernetes service... ⌛ [ciliumnightly-816c6c11] Waiting for CiliumEndpoint for pod cilium-test/echo-other-node-64b998965-6d7pm to appear... ⌛ [ciliumnightly-816c6c11] Waiting for CiliumEndpoint for pod cilium-test/echo-same-node-5988bfdbc-m7xqx to appear... ⌛ [ciliumnightly-816c6c11] Waiting for Service cilium-test/echo-other-node to become ready... ⌛ [ciliumnightly-816c6c11] Waiting for Service cilium-test/echo-other-node to be synchronized by Cilium pod kube-system/cilium-rxbwp ⌛ [ciliumnightly-816c6c11] Waiting for Service cilium-test/echo-same-node to become ready... ⌛ [ciliumnightly-816c6c11] Waiting for Service cilium-test/echo-same-node to be synchronized by Cilium pod kube-system/cilium-rxbwp ⌛ [ciliumnightly-816c6c11] Waiting for NodePort 10.10.0.4:31195 (cilium-test/echo-same-node) to become ready... ⌛ [ciliumnightly-816c6c11] Waiting for NodePort 10.10.0.4:30233 (cilium-test/echo-other-node) to become ready... ⌛ [ciliumnightly-816c6c11] Waiting for NodePort 10.10.0.5:30233 (cilium-test/echo-other-node) to become ready... ⌛ [ciliumnightly-816c6c11] Waiting for NodePort 10.10.0.5:31195 (cilium-test/echo-same-node) to become ready... ℹ️ Skipping IPCache check 🔭 Enabling Hubble telescope... ⚠️ Unable to contact Hubble Relay, disabling Hubble telescope and flow validation: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp 127.0.0.1:4245: connect: connection refused" ℹ️ Expose Relay locally with: cilium hubble enable cilium hubble port-forward& ℹ️ Cilium version: 1.15.0 🐛 Registered connectivity tests: 🐛 <Test no-policies, 8 scenarios, 0 CNPs, expectFunc > 🐛 <Test no-policies-extra, 2 scenarios, 0 CNPs, expectFunc > 🐛 <Test allow-all-except-world, 5 scenarios, 1 CNPs, expectFunc > 🐛 <Test client-ingress, 1 scenarios, 1 CNPs, expectFunc 0x2752380> 🐛 <Test client-ingress-knp, 1 scenarios, 0 CNPs, expectFunc 0x27525a0> 🐛 <Test allow-all-with-metrics-check, 1 scenarios, 0 CNPs, expectFunc 0x27516a0> 🐛 <Test all-ingress-deny, 2 scenarios, 1 CNPs, expectFunc 0x2751380> 🐛 <Test all-ingress-deny-knp, 2 scenarios, 0 CNPs, expectFunc 0x2750d40> 🐛 <Test all-egress-deny, 2 scenarios, 1 CNPs, expectFunc 0x27527c0> 🐛 <Test all-egress-deny-knp, 2 scenarios, 0 CNPs, expectFunc 0x27528a0> 🐛 <Test all-entities-deny, 2 scenarios, 1 CNPs, expectFunc 0x2752980> 🐛 <Test cluster-entity, 1 scenarios, 1 CNPs, expectFunc 0x2752a60> 🐛 <Test host-entity, 1 scenarios, 1 CNPs, expectFunc 0x2752c20> 🐛 <Test echo-ingress, 1 scenarios, 1 CNPs, expectFunc 0x2752d00> 🐛 <Test echo-ingress-knp, 1 scenarios, 0 CNPs, expectFunc 0x27531c0> 🐛 <Test client-ingress-icmp, 1 scenarios, 1 CNPs, expectFunc 0x2753420> 🐛 <Test client-egress, 1 scenarios, 1 CNPs, expectFunc > 🐛 <Test client-egress-knp, 1 scenarios, 0 CNPs, expectFunc > 🐛 <Test client-egress-expression, 1 scenarios, 1 CNPs, expectFunc > 🐛 <Test client-egress-expression-knp, 1 scenarios, 0 CNPs, expectFunc > 🐛 <Test client-with-service-account-egress-to-echo, 1 scenarios, 1 CNPs, expectFunc > 🐛 <Test client-egress-to-echo-service-account, 1 scenarios, 1 CNPs, expectFunc 0x2753640> 🐛 <Test to-entities-world, 1 scenarios, 1 CNPs, expectFunc 0x27537e0> 🐛 <Test to-cidr-external, 1 scenarios, 1 CNPs, expectFunc 0x2750980> 🐛 <Test to-cidr-external-knp, 1 scenarios, 0 CNPs, expectFunc 0x2750720> 🐛 <Test echo-ingress-from-other-client-deny, 3 scenarios, 3 CNPs, expectFunc 0x2753a40> 🐛 <Test client-ingress-from-other-client-icmp-deny, 2 scenarios, 3 CNPs, expectFunc 0x2753ca0> 🐛 <Test client-egress-to-echo-deny, 2 scenarios, 3 CNPs, expectFunc 0x2753f00> 🐛 <Test client-ingress-to-echo-named-port-deny, 2 scenarios, 3 CNPs, expectFunc 0x2754180> 🐛 <Test client-egress-to-echo-expression-deny, 2 scenarios, 3 CNPs, expectFunc 0x27543e0> 🐛 <Test client-with-service-account-egress-to-echo-deny, 2 scenarios, 3 CNPs, expectFunc 0x2754640> 🐛 <Test client-egress-to-echo-service-account-deny, 1 scenarios, 3 CNPs, expectFunc 0x27548a0> 🐛 <Test client-egress-to-cidr-deny, 1 scenarios, 2 CNPs, expectFunc 0x27500e0> 🐛 <Test client-egress-to-cidr-deny-default, 1 scenarios, 1 CNPs, expectFunc 0x274fd40> 🐛 <Test health, 1 scenarios, 0 CNPs, expectFunc > 🐛 <Test north-south-loadbalancing, 1 scenarios, 0 CNPs, expectFunc > 🐛 <Test pod-to-pod-encryption, 1 scenarios, 0 CNPs, expectFunc > 🐛 <Test node-to-node-encryption, 1 scenarios, 0 CNPs, expectFunc > 🐛 <Test egress-gateway-excluded-cidrs, 1 scenarios, 0 CNPs, expectFunc > 🐛 <Test pod-to-node-cidrpolicy, 1 scenarios, 0 CNPs, expectFunc > 🐛 <Test north-south-loadbalancing-with-l7-policy, 1 scenarios, 1 CNPs, expectFunc > 🐛 <Test echo-ingress-l7, 1 scenarios, 1 CNPs, expectFunc 0x2754a40> 🐛 <Test echo-ingress-l7-named-port, 1 scenarios, 1 CNPs, expectFunc 0x2754d80> 🐛 <Test client-egress-l7-method, 2 scenarios, 2 CNPs, expectFunc 0x27550c0> 🐛 <Test client-egress-l7, 2 scenarios, 2 CNPs, expectFunc 0x274f6e0> 🐛 <Test client-egress-l7-named-port, 2 scenarios, 2 CNPs, expectFunc 0x274f1a0> 🐛 <Test client-egress-l7-tls-deny-without-headers, 1 scenarios, 1 CNPs, expectFunc 0x27553e0> 🐛 <Test client-egress-l7-tls-headers, 1 scenarios, 1 CNPs, expectFunc 0x27554c0> 🐛 <Test client-egress-l7-set-header, 2 scenarios, 1 CNPs, expectFunc 0x27555a0> 🐛 <Test echo-ingress-auth-always-fail, 1 scenarios, 1 CNPs, expectFunc 0x27557e0> 🐛 <Test echo-ingress-mutual-auth-spiffe, 1 scenarios, 1 CNPs, expectFunc > 🐛 <Test pod-to-ingress-service, 1 scenarios, 0 CNPs, expectFunc > 🐛 <Test pod-to-ingress-service-deny-all, 1 scenarios, 1 CNPs, expectFunc 0x27558c0> 🐛 <Test pod-to-ingress-service-allow-ingress-identity, 1 scenarios, 2 CNPs, expectFunc > 🐛 <Test dns-only, 2 scenarios, 1 CNPs, expectFunc 0x27559a0> 🐛 <Test to-fqdns, 2 scenarios, 1 CNPs, expectFunc 0x274e9c0>

[kolovo]

We are having the same issue on a vanilla installation of k8s with kubespray (v2.23.1) , cilium deployed with helm(v 1.14.3) and cilium-cli: v0.15.14 on baremetal.

[giorio94]

@jpayne3506 Thanks for the detailed report. I managed to reproduce your issue, which seems to be specific to Azure CNI Powered by Cilium because, differently to what happens normally in native routing configurations, pod to node traffic gets masquerated. In any case, that error is a sanity check of that specific connectivity test, and it is safe to ignore as no encryption is enabled in the cluster.

@kolovo Your issue seems a different one, although possibly related. Could you please provide the output of cilium connectivity test --test node-to-node-encryption -d -v and the sysdump for further investigation?